Access Control Concepts

      +

      An introduction to the key concepts behind the provision of effective access control in Sync Gateway
      The sync function API provides several methods that you can use to validate and control user access to databases and documents.

      Access Control Model

      Concept

      You control document access by routing it to a channel and by making that channel accessible to the users or roles you want to be able to access documents of that type.

      Model

      In the Couchbase Mobile ecosystem access to documents is governed by three key entities: users, roles and channels.

      Access Control Model

      Access

      Conceptually, the channel can be considered as a tag associated with a document. Every document processed by the Sync Gateway is assigned to a channel (user-defined or system-defined). A channel is the fundamental way to segregate documents and for enforcing access control.

      Every Sync Gateway user is granted access to zero, one or more channels. It is the channels membership that determines the documents users can access — as illustrated in Access Control Model

      A Sync Gateway role is a way of logically grouping users. Like the channel, a role is granted access to zero, one or more channels.

      A user can only read documents that are in at least one of their assigned channels; whether directly or as part of an assigned role.

      Sync Function Examples

      Couchbase Sync Gateway defines a Sync Function at the collection level. Defining at this level helps simplify data management and improve data reliability. Each collection in the system allows for only one Sync Function, which enables the specification of Access Control rules.

      Example 1. Default Sync Function
      function (doc, oldDoc, meta) {
         channel(CollectionName);
      
      }

      Here the function then calls the channel and passes in the name of the collection (CollectionsName) as an argument.

      By default, every document in the collection is automatically assigned to a channel with the same name as the collection. This system automatically creates a channel with the collection’s name. The assignment of all documents to the collection channel is functionally similar to assigning them to the Star Channel.

      To override this, use a custom sync function or a Specified Default Sync Function.

      Example 2. Upgraded Default Sync Function
      function (doc, oldDoc, meta) {
         channel(doc.channels);
      
      }

      Here is the default Sync Function when you have upgraded; it remains the same as the previous version.

      Context

      You control document access by routing it to a channel and by making that channel accessible to the users or roles you want to be able to access documents of that type.

      Sync Gateway

      All users can implicitly access any document in the public channel. In addition, there can be user-defined channels that users can be assigned to.

      Once a user is granted access to a new channel, the next replication pull request from the client will retrieve all documents to which the user now has access.

      Revoking access to a channel means that users who previously used the channel to get replicated documents will no longer see any synced updates.

      Note that access grants neither confer, nor constrain, the type of access. Instead you can explicitly implement write access controls within the Sync Function; perhaps restricting updates to specific users or roles — for more on this see Control Write Access.

      Couchbase Lite

      By default, Couchbase Lite gets all the channels to which the configured user account has access. Optionally, a Couchbase Lite "pull" replication can also specify a comma-separated list of channel names to receive documents from. In this case, the replication from Sync Gateway will only pull documents tagged with those channels. Client apps can use this ability to intelligently sync with a subset of the available documents from the database.

      Channel Access Revocation

      3.0 Breaking Change
      Whenever a user loses access to a channel (or channels) all document in the channel(s) are auto-purged from local Couchbase Lite databases.
      In Sync Gateway 2.x these documents remain in the local database on channel access loss.

      Users may lose access to documents for many reasons, including:

      • The User loses direct access to channel

      • The User is removed from a role

      • A role the user belongs to is revoked access to channel

      By default, when a user loses access to a channel, the next Couchbase Lite Pull replication auto-purges all documents in the channel from local Couchbase Lite databases (on devices belonging to the user) unless they belong to any of the user’s other channels — see: Table 1.

      Table 1. Sync Gateway behavior following access revocation
      System State Impact on Sync

      Replication Type

      Access Control on Sync Gateway

      Expected behavior (auto-purge enabled- default)

      Pull only

      User revoked access to channel.

      Sync Function includes requireAccess(revokedChannel)

      Previously synced documents are auto purged on local

      Push only

      User revoked access to channel.

      Sync Function includes requireAccess(revokedChannel)

      No impact of auto-purge

      Documents get pushed but will be rejected by Sync Gateway

      Push-pull

      User revoked access to channel

      Sync Function includes requireAccess(revokedChannel)`

      Previously synced documents are auto purged on Couchbase Lite.

      Local changes continue to be pushed to remote but are rejected by Sync Gateway

      Provisioning

      • Channel — the channels topic discusses how channels are created and how documents can be assigned to channels.

      • User — the user topic discusses provisioning of users and providing users access to channels.

      • Role — the role topic discusses roles, assignment of users to roles created and providing roles access to channels.

      Channels

      Concept

      Sync Gateway uses Channels defined at collection level to make it easy to share a database’s documents across a large user base whilst retaining effective access control. They serve as a security conduit between the document and a user:

      Overview

      Channels are defined at the collection level, which means that specific channels can be associated with individual collections of documents. This system allows users with access to a specific channel to access all documents assigned to that channel within that collection.

      By defining channels at the collection level, it’s possible to implement detailed access control for different types of data within the database.

      You typically will use channels to:

      • Control who can access what

      • Partition your data set

      • Enable users to access just the documents they need

      • Minimize the amount of data synced to mobile devices

      Sync Gateway provides two special channels and a channel wildcard character.

      Sync Function Examples

      Couchbase Sync Gateway defines a Sync Function at the collection level. Defining at this level helps simplify data management and improve data reliability. Each collection in the system allows for only one Sync Function, which enables the specification of Access Control rules.

      Example 3. Default Sync Function
      function (doc, oldDoc, meta) {
         channel(CollectionName);
      }

      Here the function then calls the channel and passes in the name of the collection (CollectionsName) as an argument.

      By default, every document in the collection is automatically assigned to a channel with the same name as the collection. This system automatically creates a channel with the collection’s name. The assignment of all documents to the collection channel is functionally similar to assigning them to the Star Channel.

      To override this, use a custom sync function or a Specified Default Sync Function.

      Example 4. Upgraded Default Sync Function
      function (doc, oldDoc, meta) {
         channel(doc.channels);
      }

      Here is the default Sync Function when you have upgraded; it remains the same as the previous version.

      Use Case

      Imagine a database containing a collection of customer data. Within this collection, channels can be established to provide varying customer data access levels. For example, one channel may provide access to general customer information, while another may allow access to sensitive customer information. Users can then be granted access to one or both channels based on their need to access the associated data.

      Configuration

      • Version 3.x

      • legacy

      Access Control Points 3.x
      1 Using the Admin REST API:
      You can provide the admin_channels property using the Admin REST API endpoint (/{tkn-db}/_user/{name}).
      2 Programmatically using Access Grant Document:
      The Sync Function provides a flexible and secure method for controlling document access and routing. You can program it to derive appropriate access and channel routing information from document properties.
      Optionally, the access grant can be specified via a designated extended attribute (XATTR) — see: Use XATTRs for Access Grants for how to define the XATTR.
      Access Control Points pre 3.x
      1 Using the Admin REST API : You can provide the admin_channels property using the Admin REST API endpoint (/{tkn-db}/_user/{name}).
      2 Programmatically using Access Grant Document:  The Sync Function provides a flexible and secure method for controlling document access and routing.
      You can program it to derive appropriate access and channel routing information from data embedded within document properties.
      3 File-based Configuration Properties: This is only available in 3.x and is typically used for dev/test environments. You can do it in the Sync Gateway JSON Configuration File (Database Configuration ) by adding the appropriate channel to the user’s admin_channels property — see: user admin_channels.

      System Channels

      Public Channel

      The Public Channel ('!') — is a channel for publicly available documents. It is ideal for use in making information available across the user community.

      You assign a document to the public (!) channel using the channel() function.

      Documents assigned to this channel can be accessed by all users; even users assigned no specific channel access.

      New users are automatically granted access to the channel.

      All Documents Channel

      The All Documents Channel ('*') [1] — is a single, internal channel, comprising all documents from all channels.

      Assignment to this channel is automatic and implicit. You cannot explicitly assign documents to the channel or remove documents from it.

      This channel should not be confused with the use of the All Channels Wildcard in access grants.

      All Channels Wildcard

      The All Channels Wildcard ('*') — used when granting user access, this wildcard grants access to any document in any channel.

      You make dynamic user access grants in the sync function using the access() method.

      Granting a user access with the all channels wildcard gives them access to any channel, and any document in any channel, including those from private channels.

      Replications by users with all channels wildcard access will pull all documents. Because of this potential for syncing large volumes of data (sync pulls all documents in the bucket), users with all channels wildcard access should use a channel filter to explicitly name the channel(s) to be sync’d.

      Note: Users granted access using the all channels wildcard do not inherit requireAccess() rights to any specific channel.

      Always use a filter in conjunction with the all channels wildcard, to avoid sync unnecessarily pulling large numbers of documents to mobile devices.

      You assign documents to channels in the Sync Function.

      Channels are created as documents are assigned to them.

      Valid channel names consist of text letters [A–Z, a–z], digits [0–9], and a few special characters [= + / . , _ @]. Channel names are case-sensitive. Channels with no documents assigned to them are empty.

      Channel Limits

      Table 2. Guidance on Channel Assignment Limits
      Element Limiting factor Guidance Limit (Channels)

      Channels per document

      The amount of memory consumed by the combined number of channels and access grants must fit within the maximum 1Mb xattr size limit — see: Table 3.

      50

      Channels per user

      The amount of memory consumed by channels must fit within the 20 MB available on Couchbase Server docs for storing metadata — see: Table 3
      Note that the memory is retained for as long as the replication remains active.

      1,000

      Sync Metadata Limits

      Every time a document is assigned to a new channel, the channel name is appended to that document’s sync metadata.

      Therefore, a document’s set of channels is limited by the allowed sync metadata size described in Table 3.

      Table 3. Size Limits for Sync Metadata
      Value of enable_shared_bucket_access Size (Mb per Document)

      false

      20

      true

      1

      Sync Gateway will assign a document to a new channel as long as the sync metadata remains under the allowed limit.

      What to do when your channel count exceeds the usable space for sync metadata?

      In order to lower the sync metadata size per document, you can do one of the following:

      • Lower the number of channels per document.

      • Shorten the channel names. A shorter channel name will occupy less space ("customer==0030169303" vs "cs==0030169303").

      • Lower the revs_limit value. Indeed, a copy of channel metadata is retained for each revision of a document.

      Users

      Concept

      Users are one of the cornerstone concepts of access control. You can restrict document access to specific users and-or to users with specific roles.

      As an entity a user comprises a name, password, list of Roles and a list of Channels.

      Sync Gateway Users

      Sync Gateway users and roles have no relationship to Couchbase Server’s RBAC (Role-based Access Control) users. They are created and operate solely within the Sync Gateway ecosphere to govern access to replication data and to the Public API.

      Granting access to a channel in Couchbase Sync Gateway allows users to access all documents assigned to that channel, which are part of specific collections. If granting users access to admin channels statically, it is necessary to specify both the corresponding collection and channel.

      Users can also be assigned to zero or more Roles. A user inherits the channel access of all roles it belongs to. This is very much like Unix groups, except that roles do not form a hierarchy.

      Sync Gateway user credentials can be used to authenticate access to the Public API; RBAC users are required for access to other API.

      RBAC Users

      Couchbase Server RBAC user credentials are required to authenticate and authorize access to the Admin and Metrics API. You will need to create these users on Couchbase server in order to enable access — see: Create RBAC users for how to and Security Authorization Overview for more on RBAC user authentication.

      Roles

      Concept

      Roles are named collections of Channels. They enable the grouping together of Users with similar characteristics, which makes the management of large user populations easier.

      A Role and a user assigned to a Role is granted access to a channel, a part of collections. The user can then access all documents assigned to that channel. When granting user access to admin channels statically, the user must specify the collection and corresponding channel.

      As an entity, roles comprise a name and a list of channels.

      Any user associated with a role inherits the right to access any of the channels in the role’s list. This provides a convenient way to associate multiple channels with multiple users.

      Roles have a separate namespace from users, so it’s possible to have a user and a role with the same name.